New Data Gives Peek at European IMSI Catcher Exports
Data obtained through a Freedom of Information Act style-request shows Finnish companies exporting powerful surveillance technology to Mexico, Colombia, and the United Arab Emirates.
As Motherboard has found through Freedom of Information Act requests and government data, the UK is a heavy exporter of surveillance technology around the world. But they’re not the only European country shipping powerful spying devices. New records shared with Motherboard show companies from Finland are deeply involved in the international sale of equipment to sweep up phone calls and track devices.
The data, as well as comments from the Finnish government, highlight the balancing act those granting exports have to play when deliberating whether to allow a company to sell spy tech to certain countries—and how, according to campaigners, European countries sometimes grant licenses they should not due to human rights concerns.
“Finland’s government is rightly proud of regularly being ranked top in the world for press freedom, but is at the same time green-lighting the sale of this tech to state authorities in countries where journalists are known to be targets of surveillance—it’s massively disappointing,” Edin Omanovic from activist group Privacy International, which shared the records, told Motherboard.
Using a Freedom of Information style-request, Privacy International obtained data from Finland’s Ministry for Foreign Affairs (MFA) on granted export licenses around so-called dual-use products. Included in those records are over 80 licenses between 2015 and 2017 related to telecommunications interception equipment.
Got a tip? You can contact this reporter securely on Signal on +44 20 8133 5190, OTR chat on firstname.lastname@example.org, or email email@example.com.
As Teemu Sepponen, the director of the export control unit in MFA told Motherboard in an email, Finland is transparent with its export data: the records also explicitly name the company providing the technology, and often provide details on the product itself. Sepponen added that the records include licenses for both temporary and permanent export, meaning some of the items may have only been for demonstration purposes, for instance.
One company repeatedly mentioned in the data is EXFO, a firm which, on its website, emphasizes its services for detecting radio-frequency interference but also sells surveillance technology to government agencies. Many of the EXFO exports are for the company’s IMSI catcher software and related piece of hardware dubbed NetHawk. NetHawk is capable of monitoring traditional mobile networks as well as LTE, can track phones’ locations and intercept texts and calls, and the NetHawk device itself is small enough to fit inside a backpack or shoulder bag, according to an EXFO brochure, obtained by Privacy International and shared with Motherboard.
The EXFO licenses include exports to Bosnia, Oman, Indonesia, Mexico, Serbia, Morocco, Colombia, the United Arab Emirates (UAE), Kuwait, and Macedonia. The UAE has previously used sophisticated spyware to repeatedly target a human rights dissident, and Mexico is still in the midst of a scandal around how its government used hacking tools on journalists and activists.
“When surveillance becomes so easy for state authorities, it’s no wonder that people standing up for their rights are under siege around the world. Some of these countries lack basic rule of law—let alone a sufficient legal framework governing the use of this tech; resulting abuses are completely foreseeable,” Omanovic said.
EXFO did not respond to a request for comment.
To be clear, the Finnish MFA has also denied exports for IMSI catchers to certain countries, Sepponen said. Sepponen mentioned Bangladesh, Thailand, and Laos.
“When considering whether or not to issue an export license for this kind of products, Finland MFA considers very carefully each and every application. We will consider the technical parameters of the product, the stated end-use, the stated end-user and its reliability, risks of diversion to another end user than the one in the application, and the country of destination. Human rights considerations are very important for us in this assessment,” Sepponen added.